Procedure:
- Configure network device for port mirroring/SPAN mode
- Connect IPS/TPS device "Segment A" to network device (mirroring/SPAN port), leave "Segment B” open
- Enable IDS mode
TPS:
On the LSM, IDS mode is enabled on the Settings preferences page (Policy -> Settings). When IDS Mode settings are changed, the device must be rebooted for the change to take effect.
Important: Changing IDS Mode does not change Performance Protection mode. For best results, when enabling IDS Mode, go to the System -> Settings -> Log Configuration -> Performance Protection page and change Performance Protection to Always log Alert and Block events mode.
SMS
On the SMS client, go to Devices and choose your device from the list on the left or the window on the right. Once selected, choose "Device Configuration". Another window will pop up, and in this window, choose "TSE Settings" on the left. On the right side, click the "IDS Mode" check box and press "OK" to continue. Once again, this will require a reboot.
Note: Using the IPS/TPS device in a mixed configuration is not supported. If the IPS/TPS device will be used in an IDS configuration, it is an IDS device. Use the IPS/TPS as either an IDS or IPS device, but not both. Attempting to run in mixed mode will lead to performance issues.
Definitions:
Port Mirror / SPAN Mode: A port mirror is active packet duplication, meaning that a network device (switch/router) has to physically copy packets onto the mirrored port. The device must carry out this task by using some resources (e.g., CPU), and both traffic directions will be copied into the same port.
Network TAP: This entails either electrically or optically copying packets from the tap port.